使用AWS re:Post即您表示您同意 AWS re:Post 使用条款

IAM角色优先于KMS密钥策略

0

【以下的问题经过翻译处理】 我在我的账户中的“开发人员”角色上应用了一个“poweruseraccess”策略,该角色被多个用户使用。该角色允许访问AWS资源,因此任何具有此角色的人都可以使用KMS中的密钥加密/解密。我想限制特定kms密钥上的加密/解密操作。为此,我在此特定密钥的默认kms策略中添加了一个拒绝部分,如下所示。此项拒绝防止任何主体加密/解密操作,除非他们的用户ID是根(12345)或特定角色AROAADMINROLE(管理员帐户),AROALAMBDAROLE(assumerole)和IAM用户AIDAMYIAMUSER 。尽管存在明确的拒绝部分,但具有开发人员角色的用户仍能够使用该密钥进行加密/解密。请问有人能帮我找出问题所在吗?

类似的策略可用于限制我们的S3存储桶访问。我遵循这篇文章构建策略。https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/。下面的策略使用通配符和条件的StringNotLike来实现相同的原理。

** KMS策略 **

{
    "Id": "my-key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:user/my_iam_user"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",
                        "AROAADMINROLE",
                        "AROAADMINROLE:*",
                        "AIDALAMBDAROLE:*",
                        "AIDALAMBDAROLE",
                        "AIDAMYIAMUSER:*",
                        "AIDAMYIAMUSER"
                    ]
                }
            }
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345:user/my_iam_user",
                    "arn:aws:iam::12345:role/my_lambda_role"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
profile picture
专家
已提问 1 年前17 查看次数
1 回答
0

【以下的回答经过翻译处理】 看起来您只是输错了,缺少了拒绝条件块的资源。

您的策略应该更改为:

        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*" ,
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",
                        "AROAADMINROLE",
                        "AROAADMINROLE:*",
                        "AIDALAMBDAROLE:*",
                        "AIDALAMBDAROLE",
                        "AIDAMYIAMUSER:*",
                        "AIDAMYIAMUSER"
                    ]
                }
            }
        },

希望能帮助您!

profile picture
专家
已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则